Can an employee be found criminally or civilly liable under the Computer Fraud and Abuse Act (“CFAA”) for accessing digital information to which she or he had authorization when done for an improper purpose? The answer prior to the June 2021 decision by the U.S. Supreme Court in Van Buren v. United States, 141 S. Ct. 1648 (2021), was unclear and varied between jurisdictions.
The Computer Fraud and Abuse Act:
Under the Computer Fraud and Abuse Act, civil and criminal liability may be pursued against any person who knowingly accesses a computer without authorization or “exceeds authorized access” to obtain and/or misuse information from the computer.1 The Act defines “exceeds authorized access” as “access[ing] a computer with authorization to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter…”2 The statute does not contain a definition of “with authorization” or “without authorization,” which contributed to inconsistent lower federal court decisions.
Van Buren’s Misuse:
Nathan Van Buren served as a sergeant in the Cumming, Georgia Police Department. His position afforded him authorized access to the Georgia Crime Information Center, which included the authority to scan license plates from his patrol car. Andrew Albo was known by the local police to patronize prostitutes and then accuse them of stealing money from him. Albo recorded a conversation in which Van Buren asked him for a $15,000 loan and provided the recording to the local sheriff’s office, alleging that Van Buren was “shaking him down.” After being contacted by the sheriff’s office, the FBI set up a sting operation in which Albo asked Van Buren to run the license plate of a stripper he was supposedly interested in soliciting for sexual services to see if she was an undercover police officer before he would provide Van Buren with the full amount of the loan. Van Buren complied with the request and was arrested. A jury convicted him under the CFAA and sentenced him to eighteen months in prison. Van Buren appealed to the Eleventh Circuit, arguing that the prosecution’s analysis of the CFAA, that an employee with authorized access to a database who used it for purposes inconsistent with the employer’s interest violated the CFAA, was flawed. In upholding the conviction, the Eleventh Circuit chose not to apply a narrower interpretation of “with authorization” that certain other circuit courts had used.
Supreme Court Decision:
In its decision reversing the Eleventh Circuit, the Supreme Court held that the CFAA does not cover “those who… have improper motives for obtaining information that is otherwise available to them.”3 Specifically, Justice Amy Coney Barrett, writing for a majority of six, with Chief Justice Roberts and Justices Thomas and Alito in dissent, wrote that a person violates the “exceeds authorized access” language of the CFAA only when they access information that is off-limits to them in a database or computer network to which they otherwise have access. Justice Barrett pointed out that Van Buren, on the other hand, obtained information to which he was entitled and held that the fact that he did so for an improper purpose did not violate the CFAA. A contrary holding that every violation of a computer-use policy violated the CFAA, Justice Barrett wrote, would lead to the conclusion that millions of otherwise law-abiding citizens could be subjected to criminal sanctions under the CFAA. Under the Court’s analysis, prosecutors and company plaintiffs would have to prove that an employee misused computers, servers, or software she or he did not have the authority to access, or whose access had expired, in order to convict or impose civil liability under the CFAA. Accessing data for a nefarious purpose, the Court held, is not alone sufficient to justify criminal or civil liability under the CFAA.
Justice Barrett wrote that Van Buren’s use of the license plate scanner in the manner he was permitted, “regardless of whether he [scanned] the information for a prohibited purpose,” did not violate the CFAA.4 The Government’s interpretation and the Eleventh Circuit’s ruling would “attach criminal penalties to a breathtaking amount of commonplace computer activity…”5 adding “extra icing on a cake already frosted,” according to the majority.6
The decision in Van Buren means that the CFAA criminalizes computer hacking but does not extend to criminalize violations of “purpose-based limits contained in contracts and workplace policies.”7 A person with access to a set of files who uses them in a way prohibited by her or his employment contract would not violate the CFAA by doing so. An infraction would occur only if that person hacked into files he or she was unauthorized to use. Of course, such actions, though not criminal under the CFAA, would almost certainly violate company policies or breach an employment agreement.
Next Steps for Employers:
In view of Van Buren, employers concerned with protecting sensitive information on company servers should implement multiple measures to secure it, such as:
- Reassessing company security policies;
- Investing in encryption software or renewing existing encryption services;
- Requiring that existing employees and new hires sign confidentiality agreements; and
- Limiting access to protected files to individuals responsible for their contents.
1 18 U.S.C. § 1030(a)(2).
3 Van Buren v. United States, 141 S. Ct. 1648 at 1652.
4 Van Buren, 141 S. Ct. at 1654.
5 Id. at 1661.
6 Id. (quoting Yates v. United States, 135 S. Ct. 1074 (2015)).
7 Id. at 1662.
Richard B. Friedman
Richard Friedman PLLC
200 Park Avenue Suite 1700
New York, NY 10166